@elizaos/vault 2.0.0-alpha.537

package/README.md

@@ -0,0 +1,159 @@
+# @elizaos/vault
+
+Simple secrets/config vault for Eliza. **One** API for sensitive
+credentials and non-sensitive configuration.
+
+## Why this exists
+
+Eliza's Settings flow had four real bugs that all came from the same
+root cause — credentials and config were scattered across multiple
+writers, multiple file layouts, and a guess-which-field-is-the-key
+heuristic. The vault is the single seam those bugs disappear behind:
+
+1. **Model slug overwrote API key** — the save path used
+   `Object.values(config).find(non-empty)` to identify the credential,
+   so typing the model field before the API-key field corrupted the
+   key. The vault's typed API makes this structurally impossible.
+2. **Dual writer** — values landed in `env.X` AND `env.vars.X`. One
+   writer, one storage location.
+3. **Orphan `tts/media/embeddings/rpc` routes after Eliza Cloud
+   disconnect** — fixed at the disconnect-handler level by clearing
+   the routes when the account unlinks.
+4. **No reveal** — saved values were write-only. `vault.reveal(key)`
+   round-trips through the audit log.
+
+## API
+
+```ts
+import { createVault } from "@elizaos/vault";
+
+const vault = createVault();
+
+// Same call signature for sensitive and non-sensitive:
+await vault.set("openrouter.apiKey", "sk-or-v1-...", { sensitive: true });
+await vault.set("ui.theme", "dark");
+
+// Reads:
+await vault.get("openrouter.apiKey");      // → "sk-or-v1-..."
+await vault.has("openrouter.apiKey");      // → true
+await vault.describe("openrouter.apiKey"); // → { source, sensitive, lastModified }
+await vault.reveal("openrouter.apiKey", "settings-ui"); // logged in audit
+await vault.list();                         // → all keys, no values
+await vault.list("openrouter");             // → prefix-filtered
+await vault.remove("openrouter.apiKey");
+await vault.stats();                        // → { total, sensitive, nonSensitive, references }
+
+// Password-manager references — value lives there, vault stores reference:
+await vault.setReference("openrouter.apiKey", {
+  source: "1password",
+  path: "Personal/OpenRouter/api-key",
+});
+```
+
+## SecretsManager — pick which password managers to use
+
+The `Vault` is the storage primitive. The `SecretsManager` sits on top
+and routes direct writes based on user preferences. External password
+managers are not written through this API yet; callers store references
+with `vault.setReference()` after the value already exists in the vendor
+tool.
+
+```ts
+import { createManager } from "@elizaos/vault";
+
+const manager = createManager();
+
+// Probe what's available on this machine:
+const statuses = await manager.detectBackends();
+//   [
+//     { id: "in-house",   available: true,  signedIn: true,  label: "Eliza (local, encrypted)" },
+//     { id: "1password",  available: true,  signedIn: true,  label: "1Password" },
+//     { id: "bitwarden",  available: true,  signedIn: false, label: "Bitwarden", detail: "...not signed in. Run `bw login`." },
+//     { id: "protonpass", available: false,                 label: "Proton Pass", detail: "...not installed (CLI in beta)." },
+//   ]
+
+// User picks their backends in Settings:
+await manager.setPreferences({
+  enabled: ["1password", "in-house"],
+  routing: { "anthropic.apiKey": "in-house" }, // optional per-key override
+});
+
+// External direct writes fail loudly until vendor write semantics exist:
+await manager.set("openrouter.apiKey", "sk-or-...", { sensitive: true });
+// → throws: backend "1password" cannot accept direct writes yet
+
+// Store explicit references through the vault primitive:
+await manager.vault.setReference("openrouter.apiKey", {
+  source: "1password",
+  path: "Personal/OpenRouter/api-key",
+});
+
+await manager.set("anthropic.apiKey", "sk-ant-...", { sensitive: true });
+// → in-house (per-key override above)
+
+await manager.set("ui.theme", "dark");
+// → always in-house (non-sensitive values don't go to password managers)
+```
+
+**Three modes the user can run in:**
+
+- **None** — nothing enabled but `in-house`. Default. Local-only.
+- **One** — pick 1Password OR Proton Pass OR Bitwarden. Direct sensitive
+  writes fail until vendor write support exists; explicit references can
+  still be stored with `vault.setReference()`.
+- **All** — all backends enabled. Per-key routing in Settings, or just
+  use the priority order.
+
+`in-house` is always available. External backend failures are surfaced
+instead of silently falling back to local storage.
+
+## Storage
+
+- **Sensitive values** — AES-256-GCM encrypted at rest with the vault
+  key as additional authenticated data. Master key in OS keychain
+  (cross-platform via `@napi-rs/keyring`: macOS Keychain, Windows
+  Credential Manager, Linux libsecret).
+- **Non-sensitive values** — plaintext in `~/.eliza/vault.json`
+  (mode 0600). Atomic-rename writes.
+- **References** — stored as `{ source, path }`. The actual value lives
+  in 1Password / Proton Pass; resolved at use time via the vendor's
+  CLI.
+
+## Sync
+
+Sync = your existing tools. If you want secrets across devices, store
+them as 1Password references — 1Password syncs your vault, the
+references stay portable, your secrets follow. We don't build a
+separate cloud sync.
+
+## Audit log
+
+Every operation appends one JSONL line to
+`~/.eliza/audit/vault.jsonl`:
+
+```jsonl
+{"ts":1714330000000,"action":"set","key":"openrouter.apiKey"}
+{"ts":1714330000010,"action":"get","key":"openrouter.apiKey"}
+{"ts":1714330000020,"action":"reveal","key":"openrouter.apiKey","caller":"settings-ui"}
+```
+
+Records keys, never values. Pass an optional `caller` to `reveal()` so
+the log shows who asked.
+
+## Testing
+
+```ts
+import { createTestVault } from "@elizaos/vault/testing";
+
+const test = await createTestVault({
+  values:  { "ui.theme": "dark" },
+  secrets: { "openrouter.apiKey": "test-key" },
+});
+
+await test.vault.set("openai.apiKey", "test-2", { sensitive: true });
+const records = await test.getAuditRecords();
+await test.dispose();
+```
+
+Real vault, real encryption, real audit log — temp dir cleaned up on
+`dispose()`. No OS keychain access (uses an in-memory master key).

package/dist/audit.d.ts

@@ -0,0 +1,14 @@
+import type { AuditRecord, VaultLogger } from "./types.js";
+/**
+ * Append-only JSONL audit log. One line per vault operation. Records
+ * keys, never values.
+ */
+export declare class AuditLog {
+    private readonly path;
+    private readonly logger?;
+    constructor(path: string, logger?: VaultLogger | undefined);
+    record(entry: Omit<AuditRecord, "ts"> & {
+        ts?: number;
+    }): Promise<void>;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE3D;;;GAGG;AACH,qBAAa,QAAQ;IAEjB,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBADP,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,WAAW,YAAA;IAGjC,MAAM,CACV,KAAK,EAAE,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG;QAAE,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,GAC/C,OAAO,CAAC,IAAI,CAAC;CAcjB"}

package/dist/audit.js

@@ -0,0 +1,27 @@
+import { promises as fs } from "node:fs";
+import { dirname } from "node:path";
+/**
+ * Append-only JSONL audit log. One line per vault operation. Records
+ * keys, never values.
+ */
+export class AuditLog {
+    path;
+    logger;
+    constructor(path, logger) {
+        this.path = path;
+        this.logger = logger;
+    }
+    async record(entry) {
+        const record = { ts: entry.ts ?? Date.now(), ...entry };
+        const line = `${JSON.stringify(record)}\n`;
+        try {
+            await fs.mkdir(dirname(this.path), { recursive: true });
+            await fs.appendFile(this.path, line, { mode: 0o600 });
+        }
+        catch (err) {
+            // Audit failure must not block the caller, but it must be visible.
+            this.logger?.warn(`[vault] failed to append audit record to ${this.path}`, err);
+        }
+    }
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC;;;GAGG;AACH,MAAM,OAAO,QAAQ;IAEA;IACA;IAFnB,YACmB,IAAY,EACZ,MAAoB;QADpB,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAAc;IACpC,CAAC;IAEJ,KAAK,CAAC,MAAM,CACV,KAAgD;QAEhD,MAAM,MAAM,GAAgB,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,GAAG,KAAK,EAAE,CAAC;QACrE,MAAM,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC;QAC3C,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACxD,MAAM,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,IAAI,CAAC,MAAM,EAAE,IAAI,CACf,4CAA4C,IAAI,CAAC,IAAI,EAAE,EACvD,GAAG,CACJ,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/credentials.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Saved-login helpers for in-app browser autofill.
+ *
+ * The browser tab preload detects login forms and asks the host for
+ * matching credentials. The host reads them from the vault using the
+ * helpers here. Storage layout:
+ *
+ *   creds.<domain>.<account>           → JSON-encoded SavedLoginRecord, sensitive
+ *   creds.<domain>.__autoallow         → "1" / "0", non-sensitive (whitelist toggle)
+ *
+ * `<domain>` is the registrable hostname (e.g. `github.com`, no port).
+ * `<account>` is the URL-encoded username (so `@`, `/`, `.` are safe in
+ * the segment). Vault prefix matching uses dot segments, so listing
+ * `creds.github.com` returns every account under that domain plus the
+ * autoallow flag.
+ *
+ * Sensitive values are AES-GCM encrypted by the vault. Listing returns
+ * metadata only — passwords are never copied into the listing payload.
+ */
+import type { Vault } from "./vault.js";
+export interface SavedLogin {
+    /** Registrable hostname, e.g. `github.com`. Lower-cased on write. */
+    readonly domain: string;
+    /** User identifier as typed: email, handle, etc. */
+    readonly username: string;
+    /** Plaintext password. Encrypted at rest by the vault. */
+    readonly password: string;
+    /** TOTP seed for sites with 2FA. */
+    readonly otpSeed?: string;
+    /** Free-form note. */
+    readonly notes?: string;
+    /** Unix ms of last write. Set by `setSavedLogin`. */
+    readonly lastModified: number;
+}
+export interface SavedLoginSummary {
+    readonly domain: string;
+    readonly username: string;
+    readonly lastModified: number;
+}
+/** Persist (or replace) a login. Stamps `lastModified` automatically. */
+export declare function setSavedLogin(vault: Vault, login: Omit<SavedLogin, "lastModified">): Promise<void>;
+/** Read a login. Returns null when missing. */
+export declare function getSavedLogin(vault: Vault, domain: string, username: string): Promise<SavedLogin | null>;
+/**
+ * List logins. With no `domain`, returns every saved login summary
+ * across the vault. With a domain, scopes to that hostname.
+ *
+ * Returns metadata only. The password values stay encrypted at rest;
+ * callers must `getSavedLogin` to decrypt one entry at a time.
+ */
+export declare function listSavedLogins(vault: Vault, domain?: string): Promise<readonly SavedLoginSummary[]>;
+/** Remove a single login. Idempotent. */
+export declare function deleteSavedLogin(vault: Vault, domain: string, username: string): Promise<void>;
+/** Read the autoallow flag for a domain. False when unset. */
+export declare function getAutofillAllowed(vault: Vault, domain: string): Promise<boolean>;
+/** Toggle the autoallow flag. `true` skips consent on next autofill for that domain. */
+export declare function setAutofillAllowed(vault: Vault, domain: string, allowed: boolean): Promise<void>;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAQxC,MAAM,WAAW,UAAU;IACzB,qEAAqE;IACrE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,oDAAoD;IACpD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,0DAA0D;IAC1D,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,oCAAoC;IACpC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,sBAAsB;IACtB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAwBD,yEAAyE;AACzE,wBAAsB,aAAa,CACjC,KAAK,EAAE,KAAK,EACZ,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,GACtC,OAAO,CAAC,IAAI,CAAC,CAuBf;AAED,+CAA+C;AAC/C,wBAAsB,aAAa,CACjC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAM5B;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,KAAK,EACZ,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,SAAS,iBAAiB,EAAE,CAAC,CAyBvC;AAED,yCAAyC;AACzC,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC,CAEf;AAED,8DAA8D;AAC9D,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAKlB;AAED,wFAAwF;AACxF,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,GACf,OAAO,CAAC,IAAI,CAAC,CAEf"}

package/dist/credentials.js

@@ -0,0 +1,157 @@
+/**
+ * Saved-login helpers for in-app browser autofill.
+ *
+ * The browser tab preload detects login forms and asks the host for
+ * matching credentials. The host reads them from the vault using the
+ * helpers here. Storage layout:
+ *
+ *   creds.<domain>.<account>           → JSON-encoded SavedLoginRecord, sensitive
+ *   creds.<domain>.__autoallow         → "1" / "0", non-sensitive (whitelist toggle)
+ *
+ * `<domain>` is the registrable hostname (e.g. `github.com`, no port).
+ * `<account>` is the URL-encoded username (so `@`, `/`, `.` are safe in
+ * the segment). Vault prefix matching uses dot segments, so listing
+ * `creds.github.com` returns every account under that domain plus the
+ * autoallow flag.
+ *
+ * Sensitive values are AES-GCM encrypted by the vault. Listing returns
+ * metadata only — passwords are never copied into the listing payload.
+ */
+const PREFIX = "creds";
+// Sentinel for the per-domain autoallow flag. The colon prefix is URL-
+// encoded by `encodeAccount`, so a literal username `:autoallow` lives at
+// `%3Aautoallow` and cannot collide with this sentinel.
+const AUTOALLOW_SEGMENT = ":autoallow";
+/** Encode an account segment so vault key parsing stays unambiguous. */
+function encodeAccount(username) {
+    return encodeURIComponent(username);
+}
+function decodeAccount(segment) {
+    return decodeURIComponent(segment);
+}
+/** Lower-case domains so `Github.com` and `github.com` collide. */
+function normalizeDomain(domain) {
+    return domain.trim().toLowerCase();
+}
+function loginKey(domain, username) {
+    return `${PREFIX}.${normalizeDomain(domain)}.${encodeAccount(username)}`;
+}
+function autoallowKey(domain) {
+    return `${PREFIX}.${normalizeDomain(domain)}.${AUTOALLOW_SEGMENT}`;
+}
+/** Persist (or replace) a login. Stamps `lastModified` automatically. */
+export async function setSavedLogin(vault, login) {
+    if (login.domain.trim().length === 0) {
+        throw new TypeError("setSavedLogin: domain required");
+    }
+    if (login.username.length === 0) {
+        throw new TypeError("setSavedLogin: username required");
+    }
+    if (typeof login.password !== "string" || login.password.length === 0) {
+        throw new TypeError("setSavedLogin: password required");
+    }
+    const record = {
+        domain: normalizeDomain(login.domain),
+        username: login.username,
+        password: login.password,
+        ...(login.otpSeed ? { otpSeed: login.otpSeed } : {}),
+        ...(login.notes ? { notes: login.notes } : {}),
+        lastModified: Date.now(),
+    };
+    await vault.set(loginKey(login.domain, login.username), JSON.stringify(record), { sensitive: true });
+}
+/** Read a login. Returns null when missing. */
+export async function getSavedLogin(vault, domain, username) {
+    const key = loginKey(domain, username);
+    const has = await vault.has(key);
+    if (!has)
+        return null;
+    const raw = await vault.get(key);
+    return parseLogin(raw);
+}
+/**
+ * List logins. With no `domain`, returns every saved login summary
+ * across the vault. With a domain, scopes to that hostname.
+ *
+ * Returns metadata only. The password values stay encrypted at rest;
+ * callers must `getSavedLogin` to decrypt one entry at a time.
+ */
+export async function listSavedLogins(vault, domain) {
+    const prefix = domain ? `${PREFIX}.${normalizeDomain(domain)}` : PREFIX;
+    const keys = await vault.list(prefix);
+    const summaries = [];
+    const failures = [];
+    for (const key of keys) {
+        const parsed = parseLoginKey(key);
+        if (!parsed)
+            continue;
+        if (parsed.account === AUTOALLOW_SEGMENT)
+            continue;
+        const descriptor = await vault.describe(key);
+        if (!descriptor)
+            continue;
+        // describe() returns lastModified directly; we don't need to
+        // decrypt the value to render the listing UI.
+        summaries.push({
+            domain: parsed.domain,
+            username: decodeAccount(parsed.account),
+            lastModified: descriptor.lastModified,
+        });
+    }
+    if (failures.length > 0) {
+        throw new Error(`listSavedLogins: failed to describe ${failures.length} key(s): ${failures.join(", ")}`);
+    }
+    return summaries;
+}
+/** Remove a single login. Idempotent. */
+export async function deleteSavedLogin(vault, domain, username) {
+    await vault.remove(loginKey(domain, username));
+}
+/** Read the autoallow flag for a domain. False when unset. */
+export async function getAutofillAllowed(vault, domain) {
+    const key = autoallowKey(domain);
+    if (!(await vault.has(key)))
+        return false;
+    const raw = await vault.get(key);
+    return raw === "1";
+}
+/** Toggle the autoallow flag. `true` skips consent on next autofill for that domain. */
+export async function setAutofillAllowed(vault, domain, allowed) {
+    await vault.set(autoallowKey(domain), allowed ? "1" : "0");
+}
+function parseLoginKey(key) {
+    // creds.<domain>.<account-or-flag>
+    // We split on the first two dots: the first separates the prefix,
+    // the second separates the domain from the account segment.
+    if (!key.startsWith(`${PREFIX}.`))
+        return null;
+    const rest = key.slice(PREFIX.length + 1);
+    // The domain part itself contains dots (e.g. github.com), so the
+    // account segment is everything after the LAST dot.
+    const lastDot = rest.lastIndexOf(".");
+    if (lastDot <= 0)
+        return null;
+    const domain = rest.slice(0, lastDot);
+    const account = rest.slice(lastDot + 1);
+    if (!domain || !account)
+        return null;
+    return { domain, account };
+}
+function parseLogin(raw) {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.domain !== "string" ||
+        typeof parsed.username !== "string" ||
+        typeof parsed.password !== "string" ||
+        typeof parsed.lastModified !== "number") {
+        throw new Error(`vault credentials: stored entry is malformed (got keys: ${Object.keys(parsed).join(", ")})`);
+    }
+    return {
+        domain: parsed.domain,
+        username: parsed.username,
+        password: parsed.password,
+        ...(parsed.otpSeed ? { otpSeed: parsed.otpSeed } : {}),
+        ...(parsed.notes ? { notes: parsed.notes } : {}),
+        lastModified: parsed.lastModified,
+    };
+}
+//# sourceMappingURL=credentials.js.map

package/dist/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,MAAM,MAAM,GAAG,OAAO,CAAC;AACvB,uEAAuE;AACvE,0EAA0E;AAC1E,wDAAwD;AACxD,MAAM,iBAAiB,GAAG,YAAY,CAAC;AAuBvC,wEAAwE;AACxE,SAAS,aAAa,CAAC,QAAgB;IACrC,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,mEAAmE;AACnE,SAAS,eAAe,CAAC,MAAc;IACrC,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,QAAQ,CAAC,MAAc,EAAE,QAAgB;IAChD,OAAO,GAAG,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC3E,CAAC;AAED,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO,GAAG,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;AACrE,CAAC;AAED,yEAAyE;AACzE,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAY,EACZ,KAAuC;IAEvC,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,SAAS,CAAC,gCAAgC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,kCAAkC,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtE,MAAM,IAAI,SAAS,CAAC,kCAAkC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,MAAM,GAAe;QACzB,MAAM,EAAE,eAAe,CAAC,KAAK,CAAC,MAAM,CAAC;QACrC,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9C,YAAY,EAAE,IAAI,CAAC,GAAG,EAAE;KACzB,CAAC;IACF,MAAM,KAAK,CAAC,GAAG,CACb,QAAQ,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,QAAQ,CAAC,EACtC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EACtB,EAAE,SAAS,EAAE,IAAI,EAAE,CACpB,CAAC;AACJ,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAY,EACZ,MAAc,EACd,QAAgB;IAEhB,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAY,EACZ,MAAe;IAEf,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,SAAS,GAAwB,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,IAAI,MAAM,CAAC,OAAO,KAAK,iBAAiB;YAAE,SAAS;QACnD,MAAM,UAAU,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,CAAC,UAAU;YAAE,SAAS;QAC1B,6DAA6D;QAC7D,8CAA8C;QAC9C,SAAS,CAAC,IAAI,CAAC;YACb,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC;YACvC,YAAY,EAAE,UAAU,CAAC,YAAY;SACtC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,uCAAuC,QAAQ,CAAC,MAAM,YAAY,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACxF,CAAC;IACJ,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,yCAAyC;AACzC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAY,EACZ,MAAc,EACd,QAAgB;IAEhB,MAAM,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,8DAA8D;AAC9D,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAY,EACZ,MAAc;IAEd,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,KAAK,GAAG,CAAC;AACrB,CAAC;AAED,wFAAwF;AACxF,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAY,EACZ,MAAc,EACd,OAAgB;IAEhB,MAAM,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AAC7D,CAAC;AASD,SAAS,aAAa,CAAC,GAAW;IAChC,mCAAmC;IACnC,kEAAkE;IAClE,4DAA4D;IAC5D,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC1C,iEAAiE;IACjE,oDAAoD;IACpD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,OAAO,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAwB,CAAC;IACtD,IACE,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ;QACjC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;QACnC,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ;QACnC,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EACvC,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2DAA2D,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAC7F,CAAC;IACJ,CAAC;IACD,OAAO;QACL,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAChD,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC;AACJ,CAAC"}

package/dist/crypto.d.ts

@@ -0,0 +1,18 @@
+/**
+ * AES-256-GCM envelope for a single value.
+ *
+ * Wire format: `v1:<nonce_b64>:<tag_b64>:<ct_b64>` (all base64).
+ *   - nonce: 12 bytes (96-bit GCM standard)
+ *   - tag:   16 bytes (128-bit auth tag)
+ *
+ * The vault key is bound as additional authenticated data (AAD) so a
+ * swapped ciphertext between slots fails decryption.
+ */
+export declare const KEY_BYTES = 32;
+export declare class CryptoError extends Error {
+    constructor(message: string);
+}
+export declare function generateMasterKey(): Buffer;
+export declare function encrypt(masterKey: Buffer, plaintext: string, aad: string): string;
+export declare function decrypt(masterKey: Buffer, ciphertext: string, aad: string): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AAEH,eAAO,MAAM,SAAS,KAAK,CAAC;AAI5B,qBAAa,WAAY,SAAQ,KAAK;gBACxB,OAAO,EAAE,MAAM;CAI5B;AAED,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,wBAAgB,OAAO,CACrB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,GACV,MAAM,CAUR;AAED,wBAAgB,OAAO,CACrB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,MAAM,GACV,MAAM,CAkCR"}

package/dist/crypto.js

@@ -0,0 +1,67 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+/**
+ * AES-256-GCM envelope for a single value.
+ *
+ * Wire format: `v1:<nonce_b64>:<tag_b64>:<ct_b64>` (all base64).
+ *   - nonce: 12 bytes (96-bit GCM standard)
+ *   - tag:   16 bytes (128-bit auth tag)
+ *
+ * The vault key is bound as additional authenticated data (AAD) so a
+ * swapped ciphertext between slots fails decryption.
+ */
+export const KEY_BYTES = 32;
+const NONCE_BYTES = 12;
+const TAG_BYTES = 16;
+export class CryptoError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "CryptoError";
+    }
+}
+export function generateMasterKey() {
+    return randomBytes(KEY_BYTES);
+}
+export function encrypt(masterKey, plaintext, aad) {
+    if (masterKey.length !== KEY_BYTES) {
+        throw new CryptoError(`master key must be ${KEY_BYTES} bytes`);
+    }
+    const nonce = randomBytes(NONCE_BYTES);
+    const cipher = createCipheriv("aes-256-gcm", masterKey, nonce);
+    cipher.setAAD(Buffer.from(aad, "utf8"));
+    const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `v1:${nonce.toString("base64")}:${tag.toString("base64")}:${ct.toString("base64")}`;
+}
+export function decrypt(masterKey, ciphertext, aad) {
+    if (masterKey.length !== KEY_BYTES) {
+        throw new CryptoError(`master key must be ${KEY_BYTES} bytes`);
+    }
+    const parts = ciphertext.split(":");
+    if (parts.length !== 4 || parts[0] !== "v1") {
+        throw new CryptoError("malformed ciphertext or unsupported version");
+    }
+    const nonceB64 = parts[1];
+    const tagB64 = parts[2];
+    const ctB64 = parts[3];
+    if (nonceB64 === undefined || tagB64 === undefined || ctB64 === undefined) {
+        throw new CryptoError("malformed ciphertext");
+    }
+    const nonce = Buffer.from(nonceB64, "base64");
+    const tag = Buffer.from(tagB64, "base64");
+    const ct = Buffer.from(ctB64, "base64");
+    if (nonce.length !== NONCE_BYTES || tag.length !== TAG_BYTES) {
+        throw new CryptoError("malformed ciphertext");
+    }
+    const decipher = createDecipheriv("aes-256-gcm", masterKey, nonce);
+    decipher.setAAD(Buffer.from(aad, "utf8"));
+    decipher.setAuthTag(tag);
+    try {
+        return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+    }
+    catch (err) {
+        throw new CryptoError(err instanceof Error
+            ? `decryption failed: ${err.message}`
+            : "decryption failed");
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE5E;;;;;;;;;GASG;AAEH,MAAM,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC;AAC5B,MAAM,WAAW,GAAG,EAAE,CAAC;AACvB,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB;IAC/B,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,SAAiB,EACjB,SAAiB,EACjB,GAAW;IAEX,IAAI,SAAS,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,IAAI,WAAW,CAAC,sBAAsB,SAAS,QAAQ,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAC/D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;IACxC,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,MAAM,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC7F,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,SAAiB,EACjB,UAAkB,EAClB,GAAW;IAEX,IAAI,SAAS,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACnC,MAAM,IAAI,WAAW,CAAC,sBAAsB,SAAS,QAAQ,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC5C,MAAM,IAAI,WAAW,CAAC,6CAA6C,CAAC,CAAC;IACvE,CAAC;IACD,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACxB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,KAAK,SAAS,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1E,MAAM,IAAI,WAAW,CAAC,sBAAsB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7D,MAAM,IAAI,WAAW,CAAC,sBAAsB,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IACnE,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1C,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CACpE,MAAM,CACP,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,WAAW,CACnB,GAAG,YAAY,KAAK;YAClB,CAAC,CAAC,sBAAsB,GAAG,CAAC,OAAO,EAAE;YACrC,CAAC,CAAC,mBAAmB,CACxB,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/external-credentials.d.ts

@@ -0,0 +1,62 @@
+/**
+ * External credential adapters for password-manager backends.
+ *
+ * Reads Login items out of `op` (1Password) and `bw` (Bitwarden) using the
+ * session token persisted by the secrets-manager installer at
+ * `pm.<backend>.session`. Returns a uniform shape so the manager layer can
+ * merge them with the in-house saved-logins list.
+ *
+ *   list*  → metadata only, never returns passwords
+ *   reveal* → explicit second step, returns username + password (+ totp)
+ *
+ * The CLI is shelled out via an injected `ExecFn` so tests can stub the
+ * subprocess without spawning real processes.
+ */
+import type { Vault } from "./vault.js";
+export type ExternalLoginSource = "1password" | "bitwarden";
+export interface ExternalLoginListEntry {
+    readonly source: ExternalLoginSource;
+    /** op item id / bw item id — opaque to callers. */
+    readonly externalId: string;
+    readonly title: string;
+    readonly username: string;
+    /** Best-effort registrable hostname extracted from urls[0]; null when none. */
+    readonly domain: string | null;
+    readonly url: string | null;
+    /** Epoch ms; 0 when the backend didn't supply a timestamp. */
+    readonly updatedAt: number;
+}
+export interface ExternalLoginReveal extends ExternalLoginListEntry {
+    readonly password: string;
+    readonly totp?: string;
+}
+export declare class BackendNotSignedInError extends Error {
+    readonly source: ExternalLoginSource;
+    constructor(source: ExternalLoginSource);
+}
+/**
+ * Subprocess executor injected by the manager (tests pass a stub).
+ *
+ * Mirrors `node:child_process.execFile` with promises: returns combined
+ * stdout/stderr, throws on non-zero exit. The `env` option matters for
+ * Bitwarden (BW_SESSION) — 1Password uses an explicit `--session` flag.
+ */
+export type ExecFn = (cmd: string, args: readonly string[], opts: {
+    readonly env?: NodeJS.ProcessEnv;
+    readonly timeoutMs?: number;
+    readonly stdin?: string;
+}) => Promise<{
+    readonly stdout: string;
+    readonly stderr: string;
+}>;
+export declare function listOnePasswordLogins(vault: Vault, exec: ExecFn): Promise<readonly ExternalLoginListEntry[]>;
+export declare function revealOnePasswordLogin(vault: Vault, exec: ExecFn, externalId: string): Promise<ExternalLoginReveal>;
+export declare function listBitwardenLogins(vault: Vault, exec: ExecFn): Promise<readonly ExternalLoginListEntry[]>;
+export declare function revealBitwardenLogin(vault: Vault, exec: ExecFn, externalId: string): Promise<ExternalLoginReveal>;
+/**
+ * Production `ExecFn` wrapping `node:child_process.execFile`. Tests inject
+ * stubs instead of using this. Lives here so callers can `import` a single
+ * default rather than wiring `child_process` themselves.
+ */
+export declare function defaultExecFn(): ExecFn;
+//# sourceMappingURL=external-credentials.d.ts.map

package/dist/external-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"external-credentials.d.ts","sourceRoot":"","sources":["../src/external-credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,MAAM,MAAM,mBAAmB,GAAG,WAAW,GAAG,WAAW,CAAC;AAE5D,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,MAAM,EAAE,mBAAmB,CAAC;IACrC,mDAAmD;IACnD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,+EAA+E;IAC/E,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,mBAAoB,SAAQ,sBAAsB;IACjE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,uBAAwB,SAAQ,KAAK;IACpC,QAAQ,CAAC,MAAM,EAAE,mBAAmB;gBAA3B,MAAM,EAAE,mBAAmB;CAIjD;AAED;;;;;;GAMG;AACH,MAAM,MAAM,MAAM,GAAG,CACnB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,EAAE;IACJ,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,UAAU,CAAC;IACjC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB,KACE,OAAO,CAAC;IAAE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AAgCnE,wBAAsB,qBAAqB,CACzC,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,SAAS,sBAAsB,EAAE,CAAC,CAyC5C;AAED,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAwC9B;AAsDD,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,SAAS,sBAAsB,EAAE,CAAC,CA+B5C;AAED,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,KAAK,EACZ,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAiC9B;AAuJD;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,CA8BtC"}